field, finding roots of a polynomial, and factoring a polynomial into its irreducible factors over a finite field. All of these problems are of importance in algebraic coding theory, algebraic symbol manipulation, and number theory. These algorithms have a very transparent, easy to program structure. For finite fields of large characteristic p, so that exhaustive search through $Z_p$ is not feasible, our algorithms are of lower order in the degrees of the polynomial and fields in question than previously published algorithms.
PROBABILISTIC ALGORITHMS IN FINITE FIELDS

Michael O. Rabin


In this paper we utilize the method of probabilistic algorithms to solve some important computational problems pertaining to finite fields. The questions we deal with are the following. Given a prime p and an integer n, how do we actually perform the arithmetical operations of $E = GF(p^n)$? Given a polynomial f(x) of degree m with coefficients in E, we wish to find a root $\alpha \in E$ of f(x) = 0, if such a root does exist. This is the root-finding problem. Finally, given a polynomial $f(x) \in E[x]$, we want to find the factorization $f = f_1 \cdots f_k$ of f into its irreducible factors $f_i(x) \in E[x]$. This is the factorization problem.

All of the above problems are of great significance in algebraic coding theory, see [2], in algebraic symbol manipulation, and in computational number theory.
Algorithms for the latter two problems are given in Berlekamp's [2] and more completely in the important paper [3], which culminates his own work on the subject and also incorporates important ideas of Collins, Knuth, Welch, Zassenhaus, and others.

Berlekamp solves the root-finding problem for $f \in GF(p^n)[x]$, $\deg(f) = m$, by reducing it to the factorization problem of another polynomial $F(x) \in Z_p[x]$ ($Z_p = GF(p)$ is the field of residues mod p), where $\deg(F) = mn$. The problem of factoring $F(x) \in Z_p[x]$ is solved by reducing it to finding the roots in $Z_p$ of another polynomial $G(x) \in Z_p[x]$. Thus everything is reduced to root-finding in $Z_p$. For root-finding in a large $Z_p$, a case in which search is not feasible, Berlekamp proposes a probabilistic algorithm involving a random choice of $\delta \in Z_p$. The article [3] does not contain a proof for the validity of this algorithm.

Our starting point is to solve directly the problem of root-finding in $GF(p^n) = E$ for polynomials $f \in E[x]$, by a probabilistic algorithm which generalizes to arbitrary finite fields Berlekamp's algorithm for $Z_p$. The validity of the algorithm is based on Theorem 4, which has a surprisingly simple proof.


We now base factorization of a polynomial $f(x) \in Z_p[x]$ on root-finding for the same f. Namely, if f(x) has irreducible factors $h_i(x) \in Z_p[x]$ of degree m, $1 \le i \le k$, then the product $D(x) = \prod h_i(x)$ of these factors can be readily found by computations in $Z_p[x]$. The roots of D(x) are in $GF(p^m)$ and the above root-finding algorithm allows us to directly find such a root $\alpha \in GF(p^m)$. The minimal polynomial $h(x) \in Z_p[x]$ of α, which is of degree m, can be found by one of two methods given in Section 3. Now, α is also a root of some $h_i(x)$ of degree m, so that $h(x) = h_i(x)$, and we have found one irreducible factor of f(x). An iteration of this process finds all the irreducible factors.

The same algorithm works for factorization of polynomials $f(x) \in E[x]$, where E is any finite field, by use of roots of the polynomial f(x) itself.

In terms of the number of $Z_p$-operations (additions and multiplications mod p of numbers $0 \le a, b < p$) used, our algorithms are of complexity proportional to log p. Thus they are feasible even for fields $GF(p^n)$ where p is so large that exhaustive search through $Z_p$ is not possible.

Leaving out the factor log p and factors of order $\log n \cdot \log\log n$, the algorithms presented here have the following complexities. A root of $f(x) \in GF(p^n)[x]$, $\deg f = m$, can be found in $O(n^2 m)$ $Z_p$-operations. A polynomial $f(x) \in Z_p[x]$, $\deg(f) = n$, can be factored in $O(n^3)$ operations.

If the arithmetical operations of the field $E = GF(p^n)$ are wired into circuitry so that an E-operation can be viewed as a unit, then the above root-finding algorithm uses $O(nm)$ operations. Under the same assumption for the fields $GF(p^i)$, $i \le n$, the factorization of f(x) uses $O(n^2)$ operations.

The root-finding and factorization algorithms for the case of large p given in [3] are of higher order in n. Root-finding for $f(x) \in GF(p^m)[x]$, $\deg(f) = n$, uses $O((nm)^3 m)$ $Z_p$-operations. Factorization of $f \in Z_p[x]$, $\deg(f) = n$, uses $O(n^4)$ $Z_p$-operations.

If p is small, so that it is practicable to find a solution in $Z_p$ of f(x) = 0 by search, then a more careful comparison between the algorithms given here and the non-probabilistic algorithms presented in [3] is necessary. The latter algorithm for factorization will run in time $O(n^3)$, but there is an O(p) factor. Our algorithm will run in $O(n^3)$ (in the non-preprocessed case) with a factor of O(log p). Thus for very small p, exact comparisons will depend on the numerical constants involved. However, the algorithms given here are sufficiently fast in all cases to justify their use even for small values of p.

The probabilistic nature of our algorithms does not detract from their practical applicability. The basic probabilistic step is a random choice of an element $\delta \in E$ which is then used in an attempt to split a polynomial f(x) into two factors. We prove that for any fixed finite field E and any fixed f(x), the probability of success by such a random choice is essentially at least one half. Thus the expected number of such steps leading to success is at most about two. Furthermore, in an algorithm involving many such steps, the probability of a run of bad random choices leading to a significant deviation from the expected total number of steps is very small.


1. ARITHMETIC OF $GF(p^n)$

Let p be a prime, n an integer and $q = p^n$. As customary, denote by $GF(q) = E$ the unique finite field of q elements. In particular $GF(p) = Z_p$ is the field of residues mod p. We want to actually compute with elements of E. For $Z_p = \{0, 1, \ldots, p-1\}$, the operations are simply addition and multiplication mod p. If

(1) $g(x) = x^n + a_{n-1} x^{n-1} + \cdots + a_0 \in Z_p[x]$

is an irreducible polynomial of degree n, then

$GF(p^n) \cong Z_p[x]/(g(x))$,

where (g) is the ideal generated by g. Given such a g(x), E can be represented as the set of n-tuples of elements of $Z_p$. Let $\beta = (b_{n-1}, \ldots, b_0)$, $\gamma = (c_{n-1}, \ldots, c_0)$.

Addition is component-wise. To multiply, form

$d(x) = (b_{n-1} x^{n-1} + \cdots + b_0)(c_{n-1} x^{n-1} + \cdots + c_0)$

and find the residue $\delta(x) = d_{n-1} x^{n-1} + \cdots + d_0$ of d(x) when divided by g(x). Then $\beta \cdot \gamma = (d_{n-1}, \ldots, d_0)$.

Thus we need a method for finding an irreducible polynomial (1). To test for irreducibility we use the following.

LEMMA 1. Let $t_1, \ldots, t_k$ be all the prime divisors of n and denote $n/t_i = n_i$. A polynomial $g(x) \in Z_p[x]$ of degree n is irreducible in $Z_p[x]$ if and only if

(2) $g(x) \mid (x^{p^n} - x)$,

(3) $(g(x),\ x^{p^{n_i}} - x) = 1$, $1 \le i \le k$,

where (a, b) denotes the greatest common divisor of a and b.

Proof. Assume that g(x) is irreducible; then every root α of g(x) = 0 lies in $E = GF(p^n)$. Hence $\alpha^{p^n} - \alpha = 0$, and $(x - \alpha) \mid (x^{p^n} - x)$. Since g(x) has no multiple roots, (2) follows.

Since g(x) is irreducible of degree n, it has no roots in any field $GF(p^m)$, $m < n$. This directly implies (3).

Assume conversely that (2) and (3) hold. From (2) it follows that all roots of g(x) = 0 are in $E = GF(p^n)$. Assume that g has an irreducible factor $g_1(x)$ of degree $m < n$. The roots of $g_1(x)$ lie in $GF(p^m)$, which is generated over $Z_p$ by any one of these roots. Hence $GF(p^m) \subseteq E$ and $m \mid n$. Consequently $m \mid n_i$ for one of the maximal divisors $n_i$ of n, and all roots of $g_1(x)$ lie in $GF(p^{n_i})$. But then $(g(x),\ x^{p^{n_i}} - x)$ is divisible by $g_1(x)$, contradicting (3). Thus g(x) must be irreducible.

In computing the number of operations required to test a given polynomial for irreducibility we count, here and elsewhere in this article, in terms of arithmetical operations of $Z_p$. To obtain a bit-operations count, we should multiply our results by M(p), the number of bit operations required to multiply or divide two numbers of log p bits. As is well known, M(p) can be taken to be $O(\log p \cdot \log\log p)$.

In order to shorten subsequent formulas we introduce the following

Notation: $L(n) = \log n \cdot \log\log n$.

The computation of $(g(x),\ x^{p^n} - x)$ is executed by computing $x^{p^n}$ modulo g(x). As is well known, $x^{p^n}$ can be calculated by at most $2 \log p^n$ multiplications mod g(x). Since we compute mod g(x) we never deal with polynomials of degree greater than 2n.

It is shown in [4] that multiplying two n-degree polynomials with coefficients in any finite field can be done by $O(n \log n \log\log n) = O(n L(n))$ field operations. Consequently division and finding the remainder can be done in $O(n L(n))$ operations, see [1, p. 288]. Thus the basic step of computing $r(x) \cdot s(x) \bmod g(x)$, where $\deg(r), \deg(s) \le n - 1$, uses $O(n L(n))$ operations. The computation of $x^{p^n} \bmod g(x)$ uses $O(n^2 L(n) \log p)$ operations.

To test (3) we need $k \le \log n$ computations of the above type, so that the total number of operations is $O(n^2 \log n\, L(n) \log p)$.
The search for an irreducible polynomial of degree n is based on the following result, which is a weaker form, sufficient for our purposes, of Theorem 3.36 of [2]. We give a proof not utilizing generating functions.

LEMMA 2. Denote by m(n) the number of different monic polynomials in $Z_p[x]$ of degree n which are irreducible. Then

(4) $\dfrac{p^n - p^{n/2} \log n}{n} < m(n) \le \dfrac{p^n}{n}$,

(5) $\dfrac{1}{2n} \le \dfrac{m(n)}{p^n} \le \dfrac{1}{n}$.

Note that $p^n$ is the number of all monic polynomials of degree n.

Proof. Let $g_1(x), \ldots, g_l(x)$, $l = m(n)$, be all the pairwise different irreducible monic polynomials of degree n. Any element $\alpha \in E = GF(p^n)$ which is of degree n over $Z_p$ satisfies exactly one equation $g_i(x) = 0$, and each such equation has exactly n such roots. If $H \subseteq E$ is the set of elements of degree n over $Z_p$, then $c(H)/n = m(n)$, where c(H) denotes the cardinality of H.

An element $\alpha \in E$ is in H if it is not in any proper maximal subfield $GF(p^{n_i}) \subseteq E$, where $n_i$ is a maximal divisor of n (see the notation in Lemma 1). The cardinality of such a subfield is at most $p^{n/2}$ and the number of these maximal subfields is smaller than log n. Thus $p^n - p^{n/2} \log n < c(H) \le p^n$, from which (4) and (5) follow.

In [2] Berlekamp remarks that Theorem 3.36 means that a randomly chosen polynomial of degree n will be irreducible with probability nearly 1/n, without suggesting to base an algorithm on this fact. In the general spirit of the present paper, we solve the problem of finding an irreducible polynomial by randomization.
The algorithm for finding an irreducible polynomial proceeds as follows. Choose a polynomial (1) randomly and test for irreducibility; continue until an irreducible polynomial of degree n is found. Lemma 2 ensures that the expected number of polynomials to be tried before an irreducible one is found is about n (at most 2n, by (5)). Thus the expected number of operations (in $Z_p$) for finding an irreducible polynomial of degree n is $O(n^3 \log n\, L(n) \log p)$.

The root-finding algorithm for GF(q) assumes that the arithmetic of this field is given, so that the question of finding an irreducible polynomial actually does not arise. In the factorization of a polynomial of degree n we may need computations in fields $GF(p^{n_i})$, $1 \le i \le t$, such that $\sum n_i \le n$. The count of all operations, including the precomputation of the $g_{n_i}(x)$, will use the following.

LEMMA 3. Let $n_i$, $1 \le i \le t$, satisfy $\sum n_i \le n$. The expected number of operations used for finding irreducible polynomials $h_i(x)$, $\deg(h_i) = n_i$, $1 \le i \le t$, is $O(n^3 \log n\, L(n) \log p)$.

Proof. $\sum n_i^3 \log n_i\, L(n_i) \log p \;\le\; n^2 \log n\, L(n) \log p \sum n_i \;\le\; n^3 \log n\, L(n) \log p$.


_ 
2. ROOT FINDING IN $GF(p^n)$

Let $E = GF(q)$ be a fixed finite field, and $f(x) \in E[x]$ be a polynomial of degree m. We wish to find one (or all) of the roots $\alpha \in E$ of f(x) = 0. We give a probabilistic algorithm for this problem, which is a generalization of the algorithm given in Berlekamp [3] for prime fields $Z_p$, to arbitrary finite fields E. Our proof for the validity of the general algorithm of course applies also to the special case of $Z_p$, which is given essentially without proof in [3].

Assume for the time being that $q = p^n$ is odd. We shall indicate later how to treat the important case $q = 2^n$. Form the g.c.d.

$f_1(x) = (f(x),\ x^{q-1} - 1)$.

If $f_1(x) = 1$ then f(x) has no nonzero roots in E. (Whether 0 is a root is seen directly from f(0); $x^{q-1} - 1$ has only the nonzero elements of E as roots, so we assume $f(0) \ne 0$ from here on.) In general

$f_1(x) = (x - \alpha_1) \cdots (x - \alpha_k)$, $k \le m$,

where the $\alpha_i$ are all the pairwise different roots in E of f(x) = 0.


Now

(6) $x^{q-1} - 1 = (x^d - 1)(x^d + 1)$, $d = \dfrac{q-1}{2}$.

The next natural step is to try $(f_1(x),\ x^d - 1)$. If some of the $\alpha_i$ satisfy $\alpha_i^d - 1 = 0$ while others satisfy $\alpha_i^d + 1 = 0$, then this g.c.d. will be a true divisor of $f_1(x)$, and we will have further advanced towards the goal of finding a linear factor $x - \alpha$, i.e. a root, of f(x). In general we are not guaranteed that the g.c.d. will be different from 1 or $f_1(x)$. However, this advantageous situation can be created by randomization.

Call $\alpha, \beta \in E$, $\alpha \ne 0$, $\beta \ne 0$, of different type if $\alpha^d \ne \beta^d$, where $d = \dfrac{q-1}{2}$.

THEOREM 4. Let $\alpha_1, \alpha_2 \in E$, $\alpha_1 \ne \alpha_2$. Then

(7) $\dfrac{q-1}{2} = c(\{\delta \mid \delta \in E,\ \alpha_1 + \delta \text{ and } \alpha_2 + \delta \text{ are of different type}\})$,

where c(S) denotes the cardinality of the set S.

Proof. The elements $\alpha_1 + \delta$ and $\alpha_2 + \delta$ are of different type if and only if neither is zero and

$\left(\dfrac{\alpha_1 + \delta}{\alpha_2 + \delta}\right)^d \ne 1$, hence $\left(\dfrac{\alpha_1 + \delta}{\alpha_2 + \delta}\right)^d = -1$

(for $y \ne 0$ we have $y^{2d} = y^{q-1} = 1$, so $y^d = \pm 1$). The equation $x^d = -1$ has exactly $d = \dfrac{q-1}{2}$ solutions in E. Consider the 1-1 mapping $\phi(\delta) = \dfrac{\alpha_1 + \delta}{\alpha_2 + \delta}$. As δ ranges over $E - \{-\alpha_2\}$, $\phi(\delta)$ ranges over $E - \{1\}$. Thus for exactly $\dfrac{q-1}{2}$ values of δ, $\phi(\delta)^d = -1$. This implies (7).

COROLLARY 5. Consider for $\delta \in E$ the g.c.d. $f_\delta(x) = (f_1(x),\ (x + \delta)^d - 1)$. We have

(8) $\dfrac{q-1}{2q} \le \Pr\{\delta \mid 0 < \deg f_\delta(x) < \deg f_1\}$,

i.e. the probability is one half up to the negligible term $1/2q$.

Proof. The common roots of $f_1(x)$ and $(x + \delta)^d - 1$ are those $\alpha_i$ ($f_1(\alpha_i) = 0$) for which $(\alpha_i + \delta)^d - 1 = 0$. By Theorem 4, for exactly $(q-1)/2$ of the q choices of δ, $\alpha_1 + \delta$ has this property while $\alpha_2 + \delta$ does not, or vice-versa. This entails (8). Actually the probability is nearly $1 - 1/2^{k-1}$, where $\deg f_1 = k$, but we cannot prove this.

Root-finding algorithm. Given f(x) of degree m, compute $f_1(x)$. Choose $\delta \in E$ randomly and compute $f_\delta(x)$. If $0 < \deg f_\delta < \deg f_1$ then let $f_2(x) = f_\delta(x)$ or $f_2(x) = f_1/f_\delta$, according as to whether $\deg f_\delta \le \frac{1}{2} \deg f_1$ or not. If $f_\delta = 1$ or $f_\delta = f_1$, choose another δ and repeat the previous step. By Corollary 5, the expected number of choices of $\delta \in E$ until we find $f_2(x)$ is about 2. Since the degree is at least halved in each step, after at most log m steps we find a linear factor $x - \alpha_i$ of f(x), i.e. a root.

The number of (field-E) arithmetical operations required for finding $f_1(x)$ and $f_2(x)$ is $O(n \cdot m L(m) \log p)$, where $E = GF(p^n)$. Since $\deg f_2 \le \frac{1}{2} m$, it follows that the number of operations for finding $f_3(x)$ is at most half the number of operations for finding $f_2$; and similarly for $f_4$ etc. Thus the total number of E-operations used for finding a root of f(x) is still just $O(n \cdot m L(m) \log p)$.

In terms of operations in $Z_p$, each E-operation requires $O(n L(n))$ operations with residues modulo p. Thus the total (expected) number of $Z_p$-operations for root-finding is

(9) $O(n^2 \cdot m L(m) L(n) \log p)$.

3. FACTORIZATION OF POLYNOMIALS

Let $f(x) \in Z_p[x]$ be a polynomial of degree n which we want to factor into its irreducible factors. We may assume that f'(x) (the derivative) is not zero. For otherwise $f(x) = (g(x))^p$, and this g is readily found (if g'(x) = 0 as well, repeat). For example, $x^{2p} + a x^p + b = (x^2 + ax + b)^p$. By calculating $(f(x), f'(x)) = h(x)$ and f/h, we have reduced the problem to factoring a polynomial with no repeated factors. (An irreducible factor whose multiplicity in f is divisible by p is absorbed entirely into h and does not appear in f/h; such factors are recovered by applying the same reduction to h.) Calculate

$g_m(x) = (f(x),\ x^{p^m} - x)$, $1 \le m \le n$.

Since $GF(p^m)$ consists exactly of all the elements of degrees i, $i \mid m$, over $Z_p$, we have that $g_m(x)$ is the product of all irreducible factors $h(x) \mid f(x)$ of degrees $i \mid m$.

Choose the $g_m \ne 1$ of lowest index m. If $\deg(g_m) = l$, then

$g_m(x) = h_1(x) \cdots h_k(x)$, $k = l/m$,

and each $h_i(x)$ is irreducible of degree m. All roots of $g_m(x)$ are in $GF(p^m)$. Find a root α of $g_m(x) = 0$. This root is a root of a unique $h_i(x)$.

To find this $h_i(x)$ form the powers

(10) $1, \alpha, \ldots, \alpha^m$.

These elements of $GF(p^m)$ are m-component vectors with coordinates in $Z_p$. Solve the system of linear equations

(11) $b_0 + b_1 \alpha + \cdots + b_{m-1} \alpha^{m-1} + \alpha^m = 0$,

where the $b_i$, $0 \le i \le m-1$, are the unknowns and the coordinates of the $\alpha^i$ are the coefficients. Now

$h_i(x) = x^m + b_{m-1} x^{m-1} + \cdots + b_0$.

Another way for computing $h_i(x)$ was suggested by M. Ben-Or. Note that $h_i(x)$ is irreducible of degree m. Since $\phi(\zeta) = \zeta^p$ is an automorphism of $GF(p^m)$ over the field $Z_p$, the conjugates of α are

(12) $\alpha_0 = \alpha,\ \alpha_1 = \alpha^p,\ \ldots,\ \alpha_{m-1} = \alpha^{p^{m-1}}$.

The polynomial $h_i(x)$ is now obtained by the calculation in $GF(p^m)$ of

(13) $h_i(x) = (x - \alpha_0)(x - \alpha_1) \cdots (x - \alpha_{m-1})$.

Using either one of the above methods, one irreducible factor of $g_m(x)$ (and of f(x)) is found. Next we find a root β of $g_m(x)/h_i(x)$ and another factor $h_j(x)$ of $g_m(x)$, and so on.


% 
Proceeding to factor the other $g_r(x)$, we choose $g_r(x) \ne 1$ with the lowest index $r > m$. If $m \nmid r$ then $g_r(x)$ is the product of irreducible factors of degree r. If $m \mid r$ then $g_m \mid g_r$, and $g_r/g_m$ is the product of such factors. Factor $g_r(x)$ or $g_r/g_m$ into its irreducible factors of degree r by one of the above methods.

In general, let $m_1 < m_2 < \cdots < m_t \le n$ be the indices for which $g_{m_i} \ne 1$. After $i - 1$ steps we have found $D_{m_1}(x), \ldots, D_{m_{i-1}}(x)$, where $D_{m_j}(x)$ is the product of all irreducible factors of degree $m_j$ of f(x), and each $D_{m_j}(x)$ is factored. (Note that $D_{m_i}(x) = 1$ is possible despite $g_{m_i} \ne 1$. For example, f(x) may have irreducible factors of degrees 2 and 3, but no irreducible factors of degree 6. In this case $D_2(x) \ne 1$, $D_3(x) \ne 1$, $D_6(x) = 1$, and $g_6(x) = D_2(x) D_3(x)$.) Now,

(14) $D_{m_i}(x) = g_{m_i}(x) \Big/ \prod_{m_j \mid m_i,\ m_j < m_i} D_{m_j}(x)$.

If $D_{m_i}(x) \ne 1$ and $m_i < \deg D_{m_i}(x)$, then factor it by the above method. If $m_i = \deg D_{m_i}(x)$ then $D_{m_i}(x)$ is already irreducible of degree $m_i$, and f(x) has exactly one irreducible factor of this degree.
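The three procedures described so far, namely the irreducibility test of Lemma 1 with the random search of Section 1, the root-finding algorithm of Section 2, and the products $g_m$ and $D_m$ of Section 3 up to (14), as an added Python example. This is not code from the paper. It works in the prime field $Z_p$ only (the root-finding is the $n = 1$ case, the one treated in Berlekamp's [3]), represents a polynomial as the list of its coefficients, uses schoolbook instead of fast multiplication, and stops short of the step of Section 3 that finds roots of $g_m$ in $GF(p^m)$, which would require the extension-field arithmetic of Section 1. The sample polynomials in the usage note are constructed for the example.

```python
import random
X = [0, 1]   # the polynomial x

# Added example, not code from Rabin's paper. Polynomials over Z_p are Python
# lists of ints, index i holding the coefficient of x^i; p is assumed prime.

def trim(a):                      # drop leading zeros; the zero polynomial is []
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    a, b = (a, b) if len(a) >= len(b) else (b, a)
    return trim([(x + (b[i] if i < len(b) else 0)) % p for i, x in enumerate(a)])

def mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % p
    return trim(r)

def divmod_(a, b, p):             # quotient and remainder of a by b != 0 in Z_p[x]
    a, b = trim(a[:]), trim(b[:])
    inv = pow(b[-1], p - 2, p)    # inverse of the leading coefficient (Fermat)
    q = [0] * max(0, len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        q[i] = c = a[i + len(b) - 1] * inv % p
        for j, y in enumerate(b):
            a[i + j] = (a[i + j] - c * y) % p
    return trim(q), trim(a)

def monic(a, p):
    return [c * pow(a[-1], p - 2, p) % p for c in a]

def gcd(a, b, p):                 # monic g.c.d. by Euclid; gcd(a, 0) = monic a
    a, b = trim(a[:]), trim(b[:])
    while b:
        a, b = b, divmod_(a, b, p)[1]
    return monic(a, p) if a else []

def powmod(base, e, m, p):        # base^e mod m; nothing of degree >= 2 deg m is ever formed
    result, base = [1], divmod_(base, m, p)[1]
    while e:
        if e & 1:
            result = divmod_(mul(result, base, p), m, p)[1]
        base, e = divmod_(mul(base, base, p), m, p)[1], e >> 1
    return result

def is_irreducible(g, p):
    """Lemma 1: g | x^{p^n} - x and (g, x^{p^{n/t}} - x) = 1 for every prime t | n."""
    g = monic(trim(g[:]), p)
    n = len(g) - 1
    xp = [X]                      # xp[k] = x^{p^k} mod g, built by k successive p-th powers
    for _ in range(n):
        xp.append(powmod(xp[-1], p, g, p))
    if n < 1 or add(xp[n], [0, p - 1], p):            # (2) fails: x^{p^n} - x != 0 mod g
        return False
    primes = [t for t in range(2, n + 1) if n % t == 0 and all(t % s for s in range(2, t))]
    return all(gcd(g, add(xp[n // t], [0, p - 1], p), p) == [1] for t in primes)   # (3)

def random_irreducible(n, p, rng=random):   # Section 1: about n tries by Lemma 2
    while True:
        g = [rng.randrange(p) for _ in range(n)] + [1]
        if is_irreducible(g, p):
            return g

def find_root(f, p, rng=random):
    """Section 2 with E = Z_p, p odd: a root of f in Z_p, or None if there is none."""
    assert p % 2 == 1, "q must be odd here; GF(2^n) needs the trace variant of Section 5"
    f = monic(trim(f[:]), p)
    if f[0] == 0:                 # f_1 below only sees nonzero roots
        return 0
    d = (p - 1) // 2
    f1 = gcd(f, add(powmod(X, p - 1, f, p), [p - 1], p), p)   # f_1 = (f, x^{p-1} - 1)
    if len(f1) <= 1:
        return None
    while len(f1) > 2:            # deg f_1 >= 2: split with a random shift delta
        delta = rng.randrange(p)
        fd = gcd(f1, add(powmod([delta, 1], d, f1, p), [p - 1], p), p)   # f_delta of Corollary 5
        if 1 < len(fd) < len(f1):                      # proper divisor: keep the smaller half
            f1 = fd if 2 * (len(fd) - 1) <= len(f1) - 1 else divmod_(f1, fd, p)[0]
    return (-f1[0]) % p           # f_1 = x - alpha

def distinct_degree_parts(f, p):
    """Section 3 up to (14): D_m = product of the irreducible factors of f of degree exactly m."""
    f = monic(trim(f[:]), p)
    df = trim([i * c % p for i, c in enumerate(f)][1:])   # f'
    if df:                        # paper assumes f' != 0; then f/(f, f') has no repeated factor
        f = divmod_(f, gcd(f, df, p), p)[0]
    D, h = {}, X
    for m in range(1, len(f)):
        h = powmod(h, p, f, p)    # h = x^{p^m} mod f
        gm = gcd(f, add(h, [0, p - 1], p), p)   # g_m = (f, x^{p^m} - x)
        for e in D:               # (14): divide out D_e for every e | m, e < m
            if m % e == 0:
                gm = divmod_(gm, D[e], p)[0]
        if len(gm) > 1:
            D[m] = gm
    return D
```

For instance, over $Z_7$ the constructed polynomial $f = (x-2)(x-3)(x^2+1) = x^4 + 2x^3 + 2x + 6$, written as `[6, 2, 0, 2, 1]`, gives `find_root(f, 7)` equal to 2 or 3 (which one depends on the random δ) and `distinct_degree_parts(f, 7)` equal to `{1: [6, 2, 1], 2: [1, 0, 1]}`, i.e. $D_1 = x^2 + 2x + 6$ and $D_2 = x^2 + 1$. Likewise `is_irreducible([1, 0, 1], 7)` is true while `is_irreducible([1, 0, 1], 5)` is false, since $-1$ is a square mod 5 but not mod 7. The one check added beyond the paper is the test for the root 0, which $f_1 = (f, x^{q-1} - 1)$ never contains.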
4. COUNTING OPERATIONS

Let us now count the number of $Z_p$-operations required to factor a polynomial $f(x) \in Z_p[x]$ of degree n. The cost of getting rid of multiple factors of f(x) and of discovering the factors $D_i(x)$ defined in Section 3 is majorized by the cost of factoring the $D_i(x)$, so that we confine ourselves to estimating the latter cost.

We have $f(x) = D_1(x) \cdots D_t(x)$, where $\deg D_i = d_i$. Each $D_i(x) = h_{i1}(x) \cdots h_{ik_i}(x)$, where $\deg h_{ij} = m_i$, and $h_{ij}$ is irreducible. The algorithm of Section 3 seeks roots of $D_i(x) = 0$, one for each factor $h_{ij}(x)$, so that $h_{ij}(\beta_j) = 0$. Using the operation count (9) for root-finding, with $n = m_i$ (because $\beta_j \in GF(p^{m_i})$, $1 \le j \le k_i$) and $m = \deg D_i = d_i$, we get $O(m_i^2 d_i L(d_i) L(m_i) \log p)$ for finding one root, say $\beta_1$.

We then find $h_{i1}(x)$ by (11) or (13). Next we find a root of $D_i(x)/h_{i1}(x)$, so that we are sure that the root belongs to an $h_{ij} \ne h_{i1}$. Overestimating by not using the fact that $\deg(D_i/h_{i1}) = d_i - m_i$ etc., we get $O(k_i m_i^2 d_i L(d_i) L(m_i) \log p)$ for the total number of $Z_p$-operations to find the relevant roots of $D_i(x)$. Since $k_i m_i = d_i$ and $m_i \le d_i$ we get

(15) $O(d_i^3 L(d_i)^2 \log p)$

as a bound on these operations for $D_i(x)$. Since $n = \sum d_i$ we obtain by summation from (15), in the manner of deriving Lemma 3,

(16) $O(n^3 L(n)^2 \log p)$

as a bound on the cost of finding all the necessary roots of all the $D_i(x)$.

The first method for finding the $h_{ij}(x)$, once a root for each $h_{ij}(x)$ is given, employs $O(m_i^2 L(m_i))$ $Z_p$-operations to calculate the sequence (10) of powers of the given root. The solution in $Z_p$ of the system (11) of m linear equations in m unknowns uses $O(m^3)$ operations, which majorizes the previous term. Summing over all the $h_{ij}(x)$ and overestimating we get $O(n^3)$ $Z_p$-operations for finding all the $h_{ij}(x)$, $1 \le i \le t$, $1 \le j \le k_i$.
We now estimate the operations used in Ben-Or's method for computing the $h_{ij}(x)$ from the roots. Using the notation of (12) and (13), so that the root is α and $\deg(h_{ij}(x)) = m_i$, we use $O(m_i \log p)$ $GF(p^{m_i})$-multiplications to perform the raisings to exponent p. Counting $Z_p$-operations, we get

(17) $O(m_i^2 L(m_i) \log p)$

operations for computing the sequence (12).

The formation of the product (13) is a computation of the polynomial h(x) from its given roots $\alpha_0, \alpha_1, \ldots, \alpha_{m-1}$. Using the result of [1, p. 299], and taking into account that in a finite field we require $O(m L(m))$ (instead of $O(m \log m)$) operations to multiply two polynomials of degree m, we get that

(18) $O((m_i L(m_i))^2 \log m_i)$

operations of $Z_p$ are used to form each $h_{ij}$. Since $D_i(x)$ has $k_i$ factors $h_{ij}(x)$, and $\deg D_i = d_i$, we get from (17), (18) the upper estimate

(19) $O((n L(n))^2 (\log n + \log p))$

for the $Z_p$-operations used in Ben-Or's method to find all the irreducible factors $h_{ij}(x)$, $1 \le i \le t$, of f(x), once a root of each factor was computed.

5. SUMMARY OF RESULTS AND EXTENSIONS

The root-finding method of Section 2 is not applicable to polynomials $f(x) \in GF(2^n)[x]$. However, a small modification does work. Instead of $x^{q-1} - 1$ we use the trace polynomial

$T(x) = x + x^2 + x^4 + \cdots + x^{2^{n-1}}$.

For $\alpha \in GF(2^n) = E$ we have $T(\alpha)^2 = T(\alpha)$, so that every α is a root of T(x) = 0 or of T(x) = 1. Also $T(\alpha + \beta) = T(\alpha) + T(\beta)$.

THEOREM 6. If $\alpha_1, \alpha_2 \in E$, $\alpha_1 \ne \alpha_2$, then

$2^{n-1} = c(\{\delta \mid T(\delta \alpha_1) \ne T(\delta \alpha_2)\})$.

Proof. $T(\delta \alpha_1) \ne T(\delta \alpha_2)$ iff $T(\delta(\alpha_1 + \alpha_2)) \ne 0$, i.e. $= 1$. Now $\alpha_1 + \alpha_2 \ne 0$, so that $\beta = \delta(\alpha_1 + \alpha_2)$ runs with δ through all $\beta \in E$. In particular, for appropriate values of δ, all the $2^{n-1}$ roots of T(x) = 1 are obtained. This proves the theorem.

Based on Theorem 6, we have a probabilistic root-finding algorithm for polynomials $f \in E[x]$ which is completely analogous to the algorithm in Section 2.

The factorization algorithm for polynomials $f(x) \in Z_p[x]$ given in Section 3 immediately generalizes to polynomials with coefficients in a general finite field E = GF(q). The operation counts are the same, with E-operations replacing $Z_p$-operations.

We summarize our results as follows.

1. Finding irreducible polynomials.

The expected number of steps for finding an irreducible polynomial $g(x) \in Z_p[x]$ of degree n is $O(n^3 \log n\, L(n) \log p)$. Any such polynomial enables us to compute in $GF(p^n)$.

2. Root-finding.

The expected number of $Z_p$-operations used to find a root in $E = GF(p^n)$ of a polynomial $f(x) \in E[x]$ of degree m is $O(n^2 m L(m) L(n) \log p)$.
If the arithmetic of $GF(p^n)$ is directly wired into circuitry so that an E-arithmetical operation is counted as one operation, then the number of operations for root-finding is $O(n \cdot m L(m) \log p)$.

3. Factorization into irreducible factors.

The total number of $Z_p$-operations for factoring a polynomial $f \in Z_p[x]$ of degree n is

$O(n^3 \log n\, L(n) \log p) + O(n^3 L(n)^2 \log p) + O(n^3)$.

Here are included the computations of the necessary irreducible polynomials $g_m(x)$ needed for the arithmetics of the relevant fields $GF(p^m)$. The last term represents the operations used to solve linear equations under the first method.

If we assume that the arithmetics of all fields $GF(p^m)$, $m \le n$, are performed by wired circuitry, then it is preferable to use the second method for computing the factors from the roots, based on (12) and (13). From (16) and (19) it follows, since each $GF(p^m)$-operation is counted as one operation, that the number of operations used for factoring a polynomial of degree n into irreducible factors is

$O(n^2 L(n) \log p) + O(n L(n) (\log n + \log p))$.

The first term majorizes the second term, but we display the latter as well since it reflects the structure of the algorithm.